Scientific Linux Security Update : pcsc-lite on SL6.x i386/x86_64

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

A stack-based buffer overflow flaw was found in the way pcsc-lite
decoded certain attribute values of Answer-to-Reset (ATR) messages. A
local attacker could use this flaw to execute arbitrary code with the
privileges of the user running the pcscd daemon (root, by default), by
inserting a specially-crafted smart card. (CVE-2010-4531)

This update also fixes the following bugs :

- Due to an error in the init script, the chkconfig
utility did not automatically place the pcscd init
script after the start of the HAL daemon. Consequently,
the pcscd service did not start automatically at boot
time. With this update, the pcscd init script has been
changed to explicitly start only after HAL is up, thus
fixing this bug.

- Because the chkconfig settings and the startup files in
the /etc/rc.d/ directory were not changed during the
update described in the SLBA-2012:0990 advisory, the
user had to update the chkconfig settings manually to
fix the problem. Now, the chkconfig settings and the
startup files in the /etc/rc.d/ directory are
automatically updated as expected.

- Previously, the SCardGetAttrib() function did not work
properly and always returned the
'SCARD_E_INSUFFICIENT_BUFFER' error regardless of the
actual buffer size. This update applies a patch to fix
this bug and the SCardGetAttrib() function now works as
expected.

After installing this update, the pcscd daemon will be restarted
automatically.

See also :

http://www.nessus.org/u?a8660eff

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.4
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 64956 ()

Bugtraq ID:

CVE ID: CVE-2010-4531